Why a Cyber Risk Pool is Essential
A newly released report from Lockton Re, “Cyber Risk Pools and Public-Private Partnerships: Time to Dive In?” highlights the urgent need for a cyber risk pool to mitigate the financial impact of large-scale cyberattacks. The report warns that existing insurance solutions are insufficient to handle systemic cyber threats, leaving governments at risk of becoming insurers of last resort.
Such attacks could cripple critical infrastructure and financial markets. Without a risk pool, governments may be forced to act as insurers of last resort, placing significant economic burdens on taxpayers.

Rising Cyber Threats Demand Immediate Action
Cyberattacks have become a systemic risk. The report cites over 420 million cyberattacks in 2023, impacting 160 countries. The wide range of attacks on financial services, healthcare, and transportation has demonstrated the fragility of digital infrastructure. Despite the mounting risks, insurers have hesitated to provide coverage due to the unpredictable nature of cyber threats.
Currently, most cyber insurance policies exclude critical infrastructure and acts of cyber warfare. This leaves businesses and governments exposed to potentially devastating financial losses. The report suggests that a cyber risk pool—a collaborative effort between governments and the insurance industry—could help bridge this gap.
Government as the Insurer of Last Resort
Historically, governments have stepped in to provide financial relief after major disasters, from hurricanes to terrorist attacks. The report argues that cyber threats should be treated similarly. Without adequate insurance coverage, governments may be forced to provide emergency financial aid, much like they did during the COVID-19 pandemic.
The challenge, however, is that cyber risks evolve rapidly. Unlike natural disasters, which have historical data to guide risk assessment, cyber threats are unpredictable. The insurance industry’s cautious approach has resulted in policy exclusions, creating a protection gap that could leave economies vulnerable.
Lessons from Existing Risk Pools
The report examines successful public-private partnerships (PPPs) that have addressed other catastrophic risks. Notable examples include:
- Flood Re (UK) – A government-backed insurance scheme that ensures flood-prone properties remain insurable.
- Pool Re (UK) – A terrorism reinsurance pool that has amassed over £7 billion in reserves, providing financial stability.
- Australian Reinsurance Pool Corporation – Initially created for terrorism coverage, it later expanded to include cyclones and floods.
- Terrorism Risk Insurance Program (US) – Established after 9/11 to maintain market stability following catastrophic terrorist attacks.
These models demonstrate how risk-sharing mechanisms can stabilize insurance markets and ensure continued coverage for high-impact events.
What Would a Cyber Risk Pool Look Like?
The report outlines different models for a cyber risk pool:
- Government as a Last-Resort Insurer – Private insurers cover manageable risks, while a government-backed fund absorbs extreme losses.
- Hybrid Model – Distinguishes between insurable cyber risks and “uninsurable” events like cyber warfare. Governments cover the latter.
- Public-Private Pool – This creates a financial buffer backed by both private insurers and the government. This ensures market stability without fully nationalizing cyber insurance.
Each model has pros and cons, but all share a common goal: ensuring that businesses and critical infrastructure remain protected against major cyber threats.
Challenges and Concerns
Despite its benefits, establishing a cyber risk pool presents challenges:
- Defining a Cyber Catastrophe – What scale of attack would trigger government intervention?
- Funding and Participation – Would participation be voluntary or mandatory? How would costs be shared?
- Risk Boundaries – Cyber threats are global, making national risk pools harder to define.
The report acknowledges these hurdles but argues that delaying action will only make future crises more difficult to manage.
The Path Forward
Lockton Re recommends an incremental, or “crawl, walk, run,” approach: start with a small-scale cyber risk pool and expand it over time. By doing so, stakeholders can refine policies, address concerns, and build confidence in the system. A well-structured risk pool could increase market participation, improve cyber resilience, and reduce economic fallout from major cyber events.
Josephine Wolff, a cybersecurity policy expert at Tufts University, highlights the importance of proactive planning:
“We don’t have a clear understanding of what the government would consider a catastrophic cyber-attack or what form that help would take. Defining this now, before a crisis hits, is critical.”
Conclusion
A cyber risk pool is no longer a theoretical solution. It has become a necessity. Cyber threats have escalated to the point that every business, insurer, and government must collaborate to create a financial safety net. Without proactive measures, economies remain vulnerable to cyber catastrophes that could rival natural disasters in economic impact.
The report makes a compelling case: the time to act is now.